CVE-2019-3498

Advisory

In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. See: CVE-2019-3498.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

==========================

*January 4, 2019*

Django 2.1.5 fixes a security issue and several bugs in 2.1.4.

CVE-2019-3498: Content spoofing possibility in the default 404 page
-------------------------------------------------------------------

An attacker could craft a malicious URL that could make spoofed content appear
on the default page generated by the ``django.views.defaults.page_not_found()``
view.

The URL path is no longer displayed in the default 404 template and the
``request_path`` context variable is now quoted to fix the issue for custom
templates that use the path.

Bugfixes
========

* Fixed compatibility with mysqlclient 1.3.14 (:ticket:`30013`).

* Fixed a schema corruption issue on SQLite 3.26+. You might have to drop and
rebuild your SQLite database if you applied a migration while using an older
version of Django with SQLite 3.26 or later (:ticket:`29182`).

* Prevented SQLite schema alterations while foreign key checks are enabled to
avoid the possibility of schema corruption (:ticket:`30023`).

* Fixed a regression in Django 2.1.4 (which enabled keep-alive connections)
where request body data isn't properly consumed for such connections
(:ticket:`30015`).

* Fixed a regression in Django 2.1.4 where
``InlineModelAdmin.has_change_permission()`` is incorrectly called with a
non-``None`` ``obj`` argument during an object add (:ticket:`30050`).


==========================

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3498
• https://www.djangoproject.com/weblog/2019/jan/04/security-releases/
• https://groups.google.com/forum/#!topic/django-announce/VYU7xQQTEPQ
• https://docs.djangoproject.com/en/dev/releases/security/
• https://www.debian.org/security/2019/dsa-4363
• https://usn.ubuntu.com/3851-1/
• https://lists.debian.org/debian-lts-announce/2019/01/msg00005.html
• http://www.securityfocus.com/bid/106453
• https://lists.fedoraproject.org/archives/list/[email protected]/message/HVXDOVCXLD74SHR2BENGCE2OOYYYWJHZ/